Hi. sslconf, 0.8.3, is an OCaml rewrite of the NCONF library in Openssl, available for installation via OPAM. As a pure OCaml rewrite, sslconf is unikernel-ready.

sslconf parses and exposes Openssl config files as OCaml hash tables.

Currently, the OPAM async_ssl library (built on Ctypes) accepts Openssl config files only from /etc/ssl/openssl.conf, and its API calls draw on data from these config files.

An important use of config files is to hide passwords and secret data from the surfaces of command lines and environment variables. Command lines and environment variables may be read in real time by process status commands. They can also be copied to logs by auditing tools. Config files prevent these leaks.

Openssl config files are given as examples in many support posts and books, such as for X509 extensions, certificate authority specification, and Kerberos PKINIT certificates.

This rewrite should be able to read all Openssl config files, including features of the Openssl parser which are peculiar. The main peculiar feature is the possibility of line continuation characters at 512-byte offsets of very long lines, due to the parser reading lines in up to 512 byte chunks.

A feature not present in Openssl NCONF is s-expression serialization and de-serialization of result hash tables. Another is a test suite with 100% coverage, i.e., every line of the implementation, thanks to bisect_ppx reporting.

Ideally, sslconf should be used in sync with other OPAM packages, such as ocaml-certifiy for certificate creation and async_ssl for discovery of ASN.1 OIDs for names in config files.